Newsletter 17/04/2023
This machine has a website that exposes a Git repository. Here we can read the source code of the web application and find a way to bypass authentication in MySQL with Type Juggling. Then, we find another subdomain that has a public exploit to get RCE. After that, we discover a password generator tool that can be reverse-engineered to generate multiple passwords and crack a password-protected PDF document. Then, we get access via SSH and see that we can use sysctl as root with pinns as a SUID binary. With this, we can modify the kernel configuration to run an arbitrary script when a program crashes, which leads to privilege escalation.
This machine has a website with a Local File Read vulnerability that can be used to read PHP source code and find a way to activate a new account. Then, we can perform a deserialization attack in PHP to get RCE. After that, we find a hashed password in the database that can be cracked and is reused in the system. Finally, there's a Cron task run by root to renew OpenSSL certificates, and the script has a command injection vulnerability, which leads to privilege escalation.
HTB Cyber Apocalypse 2023
Personal write-ups from HTB Cyber Apocalypse 2023 with nice explanations, techniques and scripts
31 challenges
Crypto (8), Forensics (6), Hardware (1), Misc (5), Pwn (5), Reversing (1), Web (5)
64-bit binary. Heap exploitation. House of Spirit
Related messages attack. Modular arithmetic
RSA. Common modulus attack